Recognition keys access

By Kimberly Patch, Technology Research News

Passwords are a problem. To be secure,
a password must be non-obvious and changed often. Given the number of
passwords the average person uses, and given the difficulty of keeping
non-obvious and constantly changing passwords straight, it's not surprising
that many people don't like them.

Researchers from Hebrew University in Israel are addressing the
problem with a scheme that allows people to use a type of password that
they don't have to consciously remember.

The scheme taps the way people learn through the instinctive imprinting
process. When a person learns information via imprinting, he can recognize
the information later but can't recall it in a way he can describe to
someone else.

The scheme is fairly secure because it is truly random and cannot
be stolen or shared voluntarily, said Scott Kirkpatrick, a professor of
engineering and computer science at Hebrew University. "We don't know
what we know."

The idea came from thinking about human memory as an inherent
one-way function, said Kirkpatrick. A one-way function is easy to compute
in one direction but hard to invert. Integer multiplication is the standard
example: it is easy to multiply two factors together to get a number,
but hard to recover the factors from the number, especially when the
numbers are very large.

The way the human brain deals with complexity can be thought of
as a one-way function, according to Kirkpatrick. It stores images with
little conscious awareness of what was learned; the stored images are easily
recognized but difficult to describe, especially in detail.

The researchers' prototype system involves training a user on
a series of images. To be authenticated a user must recognize a few of
the images. Pictures, pseudo words and artificial grammar can all be used
as items to be recognized. These three types of imprinting data have been
thoroughly explored in perception and cognitive psychology literature,
Kirkpatrick said.

The researchers tested users on prototype systems that used each
of the three types of input.

In tests of the picture version, users went through a two-step
process to get a set of user certificates, or unconscious passwords. Users
were first shown a set of 100 to 200 pictures randomly selected from a
database of 20,000 pictures. Pictures were organized in groups of 2 to
9 pictures with a common theme, and each user was certified on one picture
from a given theme group. The user then practiced choosing certificate
images from entire theme groups.

Later, in lieu of passwords, users identified most of a short
series of certificate images. To guard against an eavesdropper who watches
a login and learns which picture was chosen, each certificate picture is
used only once, and the user retrains when the supply runs low.

Subjects were able to recognize previously seen pictures with
better than 90 percent accuracy for up to three months. According to the
researchers' calculations, the probability that an impostor guessing at
random passes four challenges in a row is less than a thousandth of one
percent.
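The enrollment, one-time challenge and retraining steps described in the preceding paragraphs, together with the random-guess false-accept calculation, can be modelled in a few dozen lines. The block below is an added illustration written for this page, not the Hebrew University prototype's code. Everything in it is an assumption: the six-theme sample database, the choice to spend a group whether the pick was right or wrong, the number of rounds per login, and the no-miss tolerance. The article does not give the group sizes or the number of rounds behind the researchers' "less than a thousandth of one percent" figure, so the toy parameters here will not reproduce it; the function shows how that number depends on group size, rounds and tolerated misses.

```python
"""Toy model of the unconscious-password protocol described above:
one certificate image per theme group, one-time-use challenges, retraining
when the pool runs low, and the random-guess false-accept probability.
Added illustration; not the Hebrew University prototype's code."""
import random
from dataclasses import dataclass, field

# Constructed sample database of (image_id, theme) pairs. The real prototype
# drew 100-200 pictures from a 20,000-picture database; this is scaled down.
THEMES = {"boats": 3, "cats": 4, "bridges": 2, "flowers": 5, "deserts": 3, "trains": 4}
SAMPLE_DB = [(f"{theme}-{i}", theme) for theme, n in THEMES.items() for i in range(n)]


@dataclass
class Enrollment:
    groups: list            # theme groups: list of lists of image ids
    certified: dict         # group index -> image the user was imprinted on
    unused: list = field(default_factory=list)  # groups not yet spent


def group_by_theme(db, min_size=2, max_size=9):
    """Bucket images by theme; the prototype used groups of 2 to 9 pictures."""
    buckets = {}
    for image_id, theme in db:
        buckets.setdefault(theme, []).append(image_id)
    return [g for g in buckets.values() if min_size <= len(g) <= max_size]


def enroll(db, rng):
    """Certify the user on one randomly chosen picture per theme group."""
    groups = group_by_theme(db)
    certified = {i: rng.choice(g) for i, g in enumerate(groups)}
    return Enrollment(groups, certified, list(range(len(groups))))


def needs_retraining(enr, rounds, low_water=1):
    """True when fewer than low_water full challenges remain in the pool."""
    return len(enr.unused) < rounds * low_water


def issue_challenge(enr, rounds, rng):
    """Select `rounds` unspent groups and present each in shuffled order."""
    if len(enr.unused) < rounds:
        raise RuntimeError("certificate pool exhausted; user must retrain")
    chosen = rng.sample(enr.unused, rounds)
    challenge = []
    for gi in chosen:
        shown = list(enr.groups[gi])
        rng.shuffle(shown)
        challenge.append((gi, shown))
    return challenge


def verify(enr, challenge, answers, max_misses=0):
    """Score the picks. Every presented group is spent, right or wrong, so a
    group seen by an eavesdropper is never shown again (assumed policy).
    Returns (accepted, groups_remaining)."""
    correct = 0
    for (gi, _shown), pick in zip(challenge, answers):
        if gi in enr.unused:
            enr.unused.remove(gi)
        if pick == enr.certified[gi]:
            correct += 1
    accepted = (len(challenge) - correct) <= max_misses
    return accepted, len(enr.unused)


def random_guess_false_accept(group_sizes, max_misses=0):
    """Exact probability that someone with no imprinting passes by guessing:
    round i succeeds with probability 1/group_sizes[i]; up to max_misses
    wrong picks are tolerated ("most of a short series")."""
    dist = [1.0]  # dist[k] = probability of exactly k correct picks so far
    for n in group_sizes:
        p = 1.0 / n
        nxt = [0.0] * (len(dist) + 1)
        for k, pk in enumerate(dist):
            nxt[k] += pk * (1.0 - p)
            nxt[k + 1] += pk * p
        dist = nxt
    rounds = len(group_sizes)
    return sum(dist[k] for k in range(rounds - max_misses, rounds + 1))


def simulate_session(seed=7, rounds=3):
    """Enrol, run an honest login and then a random-guess login.
    Returns (honest_accepted, groups_left_after_honest, impostor_accepted)."""
    rng = random.Random(seed)
    enr = enroll(SAMPLE_DB, rng)
    chal = issue_challenge(enr, rounds, rng)
    honest = [enr.certified[gi] for gi, _ in chal]       # recognition, not recall
    honest_ok, left = verify(enr, chal, honest)
    chal = issue_challenge(enr, rounds, rng)
    guesses = [rng.choice(shown) for _, shown in chal]     # impostor guessing
    impostor_ok, _ = verify(enr, chal, guesses)
    return honest_ok, left, impostor_ok


if __name__ == "__main__":
    print(simulate_session())
    sizes = [len(g) for g in group_by_theme(SAMPLE_DB)]
    print(f"random-guess false accept, {len(sizes)} rounds, no misses: "
          f"{random_guess_false_accept(sizes):.2e}")
    print(f"same with one miss allowed: "
          f"{random_guess_false_accept(sizes, max_misses=1):.2e}")
```

Two design points worth noting. Spending a group even on a wrong answer is what makes the eavesdropping defence hold: if a failed attempt left the group in the pool, an observer could replay it with a different pick. And the false-accept computation makes the trade-off in "most of a short series" explicit: allowing one miss across three four-picture groups raises the random guesser's odds from 1/64 to 10/64, which is why the number of rounds has to grow when misses are tolerated.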

Picture groups whose individual differences were more distinct
were easier to retain over time, and recognition was just as good when
picture groups contained six to nine pictures as when they contained just
two pictures, according to Kirkpatrick.

In similar tests using pseudo words that are pronounceable in
English but do not exist as valid words, accuracy rates varied from 70
to 90 percent over a three-month period. In similar tests using artificial
grammar patterns accuracy rates varied more widely, with the best subject
achieving a rate of 75 percent.

It is not difficult to make the basic scheme work, but there are
challenges in making it practical, said Kirkpatrick. "We're finding many
challenges in making the scheme compact, making it possible to use a smaller
set of learned images repeatedly without giving the secret away to an
eavesdropper, in making training easy and pleasant," he said.

The researchers are working on improving training, on identifying
what learned information is most widely accessible, and on identifying
variants of the scheme that meet the needs of different security levels,
said Kirkpatrick.

Eventually, the method could be used as a part of more elaborate
security systems, according to Kirkpatrick.

"I like the idea of developing computer-human interfaces in which
the computer is a skeptic [and so] doesn't perform the actions of which
it is capable until the human has convinced it that the need is genuine
and the human is an appropriate person for whom to perform this action,"
he said. "This might lead to greater safety for all of us."

The method could be used practically within two years, according
to Kirkpatrick. Kirkpatrick's research colleague was Daphna Weinshall.
The researchers presented the work at the Computer Human Interaction (CHI)
2004 conference in Vienna, Austria, on April 24 to 29.